----- Original Message ----- 
From: "Gary McKinney" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, April 01, 2004 10:12 PM
Subject: Re: Alan


> Hi Alan,
>
> Basically:
>
> When you have a client machine that is connecting to a NAS using EAP/TLS
> and variations thereof the encrypted path is ONLY between the client machine
> and the NAS (be it wired or wireless).
>
> The Radius server provides the initial encryption path between the client machine
> and the radius server only during the authentication/authorization phase of the
> connection process. The radius server uses the TLS side of the connection for
> the authorization transactions once the TLS tunnel is established and credentials
> have been verified (by virtue of the security certificates both the radius server
> and client machine have installed) ...
> with TTLS only the radius server has a certificate and the encryption phase is
> handled by a certificate generated on the radius server to that specific session -
> once validated the NAS and the client machine receive an encryption key to use
> during the connection session (and the key is renewed with a new key for the
> NAS and client machine every so often - 300 seconds I think is the default
> setting in FreeRadius's configuration file)....
>
> If you need encryption from the client machine to a distant server/workstation
> then you will need to implement some additional encryption mechanism between
> those end-points as the PEAP/TLS session is ONLY between the NAS and
> client machine connecting to the NAS...
>
> I hope this helps....
>
> Gary N. McKinney
>

Gary,

Thanks for the help.  With my PEAP/TLS implementation (which appears to be
working) my client machine, which is running Windows XP SP1, asks me for
credentials, e.g. username/password, and if the user exists in the users file
then I will be authenticated.  However, I never installed the OpenSSL-generated
certificate on the client side.  In my eap.conf file:
eap {
    default_eap_type = peap
    etc......
}

all tls info is correct, and

peap {
    default_eap_type=mschapv2
}

Is the client-side cert automatically accepted?  Also, I have "WEP key is
provided for me" checked on my XP machine and everything still functions
fine.  Is the FreeRADIUS server providing a WEP key to the client machine?

Thanks,
Alan


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
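The mechanism behind the question about the WEP key and Gary's description of the NAS and client "receiving an encryption key": after a successful EAP-TLS/PEAP/TTLS exchange the RADIUS server puts the derived session key material into the Access-Accept as the MS-MPPE-Send-Key and MS-MPPE-Recv-Key vendor attributes (RFC 2548, vendor 311, vendor-types 16 and 17), wrapped with the RADIUS shared secret and the Request Authenticator of the matching Access-Request. The NAS unwraps them and uses the result for the link-layer session (dynamic WEP keying pushed to the client over EAPOL-Key); the client derives the same material itself from the TLS session, so the key never travels past the NAS and the TLS tunnel itself ends at the RADIUS server. The following is an added example, not code from the thread or from FreeRADIUS, implementing that RFC 2548 key wrapping and the Vendor-Specific attribute encoding on both sides; the shared secret, Request Authenticator and key values are constructed for the example.

```python
"""Added example: RFC 2548 MS-MPPE key wrapping between RADIUS server and NAS.

Not code from the mailing-list thread or from FreeRADIUS.  The shared
secret, Request Authenticator and key values in demo() are constructed.
"""
import hashlib
import os
from typing import Optional, Tuple

MICROSOFT_VENDOR_ID = 311
MS_MPPE_SEND_KEY = 16
MS_MPPE_RECV_KEY = 17


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def mppe_key_encrypt(key: bytes, secret: bytes, req_auth: bytes,
                     salt: Optional[bytes] = None) -> bytes:
    """Wrap a session key as the RADIUS server does (RFC 2548 section 2.4.2).

    Plaintext = length byte + key + zero padding to a 16-byte multiple.
    Block 1 is XORed with MD5(secret + Request-Authenticator + salt); every
    later block with MD5(secret + previous ciphertext block).
    """
    if salt is None:
        rnd = os.urandom(2)
        salt = bytes([0x80 | rnd[0], rnd[1]])  # RFC 2548: salt high bit set
    if len(salt) != 2 or not salt[0] & 0x80:
        raise ValueError("salt must be 2 bytes with the high bit set")
    if len(req_auth) != 16:
        raise ValueError("Request Authenticator is 16 bytes")
    plain = bytes([len(key)]) + key
    plain += b"\x00" * (-len(plain) % 16)
    out, prev = b"", salt
    for i in range(0, len(plain), 16):
        if i == 0:
            pad = hashlib.md5(secret + req_auth + salt).digest()
        else:
            pad = hashlib.md5(secret + prev).digest()
        c = _xor(plain[i:i + 16], pad)
        out += c
        prev = c
    return salt + out


def mppe_key_decrypt(value: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """Unwrap as the NAS does; raises if the result is not a plausible key."""
    salt, ct = value[:2], value[2:]
    if len(salt) != 2 or not salt[0] & 0x80 or not ct or len(ct) % 16:
        raise ValueError("malformed MPPE key attribute")
    plain, prev = b"", salt
    for i in range(0, len(ct), 16):
        block = ct[i:i + 16]
        if i == 0:
            pad = hashlib.md5(secret + req_auth + salt).digest()
        else:
            pad = hashlib.md5(secret + prev).digest()
        plain += _xor(block, pad)
        prev = block
    klen = plain[0]
    if klen == 0 or klen > len(plain) - 1:
        raise ValueError("bad key length: wrong shared secret or authenticator?")
    return plain[1:1 + klen]


def build_vsa(vendor_type: int, value: bytes) -> bytes:
    """Encode a Microsoft Vendor-Specific attribute (RADIUS type 26)."""
    inner = bytes([vendor_type, 2 + len(value)]) + value
    body = MICROSOFT_VENDOR_ID.to_bytes(4, "big") + inner
    return bytes([26, 2 + len(body)]) + body


def parse_vsa(attr: bytes) -> Tuple[int, bytes]:
    """Decode a Microsoft VSA back into (vendor-type, value)."""
    if len(attr) < 8 or attr[0] != 26 or attr[1] != len(attr):
        raise ValueError("not a well-formed Vendor-Specific attribute")
    if int.from_bytes(attr[2:6], "big") != MICROSOFT_VENDOR_ID:
        raise ValueError("not a Microsoft VSA")
    vtype, vlen = attr[6], attr[7]
    return vtype, attr[8:6 + vlen]


def demo() -> dict:
    """Server wraps both keys into Access-Accept attributes; NAS unwraps them."""
    secret = b"testing123"            # constructed RADIUS shared secret
    req_auth = bytes(range(16))       # constructed Request Authenticator
    send_key = bytes([0x11] * 32)     # constructed keys (EAP-TLS yields 32 + 32 bytes)
    recv_key = bytes([0x22] * 32)

    # RADIUS server side
    accept_attrs = [
        build_vsa(MS_MPPE_SEND_KEY, mppe_key_encrypt(send_key, secret, req_auth)),
        build_vsa(MS_MPPE_RECV_KEY, mppe_key_encrypt(recv_key, secret, req_auth)),
    ]

    # NAS side: same shared secret, same Request Authenticator
    nas_keys = {}
    for attr in accept_attrs:
        vtype, wrapped = parse_vsa(attr)
        nas_keys[vtype] = mppe_key_decrypt(wrapped, secret, req_auth)

    # Someone who captured the Access-Accept but lacks the shared secret
    recovered = None
    try:
        recovered = mppe_key_decrypt(parse_vsa(accept_attrs[0])[1], b"wrong", req_auth)
    except ValueError:
        pass

    return {
        "nas_send_key": nas_keys[MS_MPPE_SEND_KEY],
        "nas_recv_key": nas_keys[MS_MPPE_RECV_KEY],
        "wrong_secret_recovers_key": recovered == send_key,
    }
```

The wrapping is only as strong as the RADIUS shared secret and the secrecy of the Request Authenticator, which is why the link between NAS and RADIUS server is normally kept on a trusted management network or tunnelled separately; the TLS tunnel Gary describes protects the credentials from the client to the server but does not protect this key handoff.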
